First, you:

    ACCEPT net fw tcp 4662
    ACCEPT net fw udp 4672,4673,4665

Then you:

    DNAT net lan tcp 4662
    DNAT net lan udp 4672,4673,4665

How is shorewall supposed to know whether to DNAT or ACCEPT a packet that arrives on your "net" adapter? I believe what it does is go with the first match in the rules file, so whatever you do second (probably the DNAT) will never be matched.

Try changing the ports you are using on the client and setting your rules up to match, so they don't conflict with the server.

Another thing you should do for your DNAT rule is to specify the host you want, for example:

    DNAT net lan:10.0.0.5 tcp 4662

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of sond
Sent: Tuesday, January 09, 2007 10:49 AM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Shorewall and amule

> Hi all,
>
> I've installed shorewall 2.2.3-2 on debian sarge (a server with nat, dhcp and dns). I can't obtain a HighID with amule. This is my configuration:
>
> interfaces:
>
>     net eth1 detect routefilter,tcpflags,blacklist
>     lan eth0 detect blacklist,dhcp
>
> zones:
>
>     net Net
>     lan Local
>
> policy:
>
>     fw  net DROP   info
>     net fw  DROP   info
>     lan net DROP   info
>     fw  lan DROP   info
>     lan fw  DROP   info
>     net all DROP   info
>     all all REJECT info
>
> Here are the rules to allow amule traffic for it:
>
>     ACCEPT fw  net tcp 4662,4661,4242,3000
>     ACCEPT fw  net udp 4672,4673,4665
>     ACCEPT net fw  tcp 4662
>     ACCEPT net fw  udp 4672,4673,4665
>
> I've also some lan clients. In the rules file there are these lines to allow amule traffic for lan clients:
>
>     ACCEPT lan net tcp 4662,4661,4242,3000
>     ACCEPT lan net udp 4672,4673,4665
>     DNAT   net lan tcp 4662
>     DNAT   net lan udp 4672,4673,4665
>
> Routing is ok. For lan clients I obtain a HighID and Kad is Ok. For the server host I have LowID and Kad is firewalled. How is it possible? Can someone help me?
>
> Thanks.

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
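The clash Bob points at can be checked mechanically before a reload. What follows is an added example, not code from this thread or from the Shorewall project: a small Python linter that flags any inbound port that is both ACCEPTed to the firewall and DNATed to some other host from the same source zone, and separately lists DNAT rules whose DEST column names a zone but no host, the thing Bob suggests adding. The reason such a pair cannot work is a Netfilter fact rather than rules-file ordering: a DNAT that names a LAN host is applied in nat/PREROUTING before the routing decision, so a matching packet is rewritten to the LAN host and goes down the FORWARD path and never reaches the firewall's own INPUT path, which is why the server's aMule stays LowID while the LAN client gets HighID. The sample rules reproduce the original post; the fixed set (host 10.0.0.5, alternate client ports 4663/4674/4675/4666), the five-column ACTION SOURCE DEST PROTO DPORT layout and the literal comparison of port tokens (ranges are not expanded) are assumptions.

```python
"""Lint a Shorewall-style rules file for the clash in the post: an inbound
port ACCEPTed to the firewall and also DNATed to a LAN host from the same zone."""

FW_ZONE = "fw"  # Shorewall's default name for the firewall itself

# Constructed copy of the rules from the original post (ACTION SOURCE DEST PROTO DPORT).
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DPORT
ACCEPT  fw     net  tcp   4662,4661,4242,3000
ACCEPT  fw     net  udp   4672,4673,4665
ACCEPT  net    fw   tcp   4662
ACCEPT  net    fw   udp   4672,4673,4665
ACCEPT  lan    net  tcp   4662,4661,4242,3000
ACCEPT  lan    net  udp   4672,4673,4665
DNAT    net    lan  tcp   4662
DNAT    net    lan  udp   4672,4673,4665
"""

# Constructed fix (assumed host and ports): the LAN client's aMule listens on
# different ports and the DNAT names the host, so nothing overlaps the firewall's own aMule.
FIXED_RULES = """\
ACCEPT  fw     net           tcp   4662,4661,4242,3000
ACCEPT  fw     net           udp   4672,4673,4665
ACCEPT  net    fw            tcp   4662
ACCEPT  net    fw            udp   4672,4673,4665
ACCEPT  lan    net           tcp   4663,4661,4242,3000
ACCEPT  lan    net           udp   4674,4675,4666
DNAT    net    lan:10.0.0.5  tcp   4663
DNAT    net    lan:10.0.0.5  udp   4674,4675,4666
"""


def parse_rules(text):
    """Yield one dict per (rule, port); '#' comments, blank lines and rules
    without a DPORT column are skipped. Port tokens are kept as written, so a
    range such as 4660:4670 is compared literally, not expanded."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5:
            continue
        action, source, dest, proto, dports = fields[:5]
        dest_zone, _, dest_host = dest.partition(":")
        for port in dports.split(","):
            yield {"action": action.upper(), "source": source, "dest_zone": dest_zone,
                   "dest_host": dest_host, "proto": proto.lower(), "port": port,
                   "line": " ".join(fields)}


def find_port_conflicts(text):
    """Sorted (proto, port) pairs that are ACCEPTed into the firewall and also
    DNATed to another zone from the same source zone. DNAT happens in
    nat/PREROUTING before routing, so those packets are rewritten to the LAN
    host and take the FORWARD path; the ACCEPT into the firewall never fires."""
    accepted, dnated = set(), set()
    for r in parse_rules(text):
        key = (r["source"], r["proto"], r["port"])
        if r["action"] == "ACCEPT" and r["dest_zone"] == FW_ZONE:
            accepted.add(key)
        elif r["action"].startswith("DNAT") and r["dest_zone"] != FW_ZONE:  # DNAT and DNAT-
            dnated.add(key)
    return sorted((proto, port) for _, proto, port in accepted & dnated)


def find_dnat_without_host(text):
    """DNAT rules whose DEST column gives only a zone (e.g. 'lan') rather than
    the 'zone:address' form; each offending rule line is returned once."""
    seen = []
    for r in parse_rules(text):
        if r["action"].startswith("DNAT") and not r["dest_host"] and r["line"] not in seen:
            seen.append(r["line"])
    return seen


if __name__ == "__main__":
    for name, rules in (("posted", SAMPLE_RULES), ("fixed", FIXED_RULES)):
        print(name, "conflicts:", find_port_conflicts(rules))
        print(name, "DNAT without host:", find_dnat_without_host(rules))
```

On the posted rules the linter reports tcp 4662 and udp 4665/4672/4673 as conflicts and both DNAT lines as lacking a host; on the fixed set it reports nothing, because the LAN client has been moved to its own ports in aMule and the DNAT names the host.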
Hi all,

I've installed shorewall 2.2.3-2 on debian sarge (a server with nat, dhcp and dns). I can't obtain a HighID with amule. This is my configuration:

interfaces:

    net eth1 detect routefilter,tcpflags,blacklist
    lan eth0 detect blacklist,dhcp

zones:

    net Net
    lan Local

policy:

    fw  net DROP   info
    net fw  DROP   info
    lan net DROP   info
    fw  lan DROP   info
    lan fw  DROP   info
    net all DROP   info
    all all REJECT info

Here are the rules to allow amule traffic for it:

    ACCEPT fw  net tcp 4662,4661,4242,3000
    ACCEPT fw  net udp 4672,4673,4665
    ACCEPT net fw  tcp 4662
    ACCEPT net fw  udp 4672,4673,4665

I've also some lan clients. In the rules file there are these lines to allow amule traffic for lan clients:

    ACCEPT lan net tcp 4662,4661,4242,3000
    ACCEPT lan net udp 4672,4673,4665
    DNAT   net lan tcp 4662
    DNAT   net lan udp 4672,4673,4665

Routing is ok. For lan clients I obtain a HighID and Kad is Ok. For the server host I have LowID and Kad is firewalled. How is it possible? Can someone help me?

Thanks.
On Tuesday 09 January 2007 16:34, Bob Coffman Jr - Info From Data wrote:

> First, you:
>
>     ACCEPT net fw tcp 4662
>     ACCEPT net fw udp 4672,4673,4665
>
> Then you:
>
>     DNAT net lan tcp 4662
>     DNAT net lan udp 4672,4673,4665

Thanks for the hint! So, when I want to DNAT a port I have first to ACCEPT the net to fw connection for that port. Right?

I've eliminated the rules for lan clients and I've set up amule only for the server:

    ACCEPT fw  net tcp 4662,4661,4242,3000
    ACCEPT fw  net udp 4672,4673,4665
    ACCEPT net fw  tcp 4662
    ACCEPT net fw  udp 4672,4673,4665

Finally I've HighID but Kad is Firewalled (not too bad), but there's another question now. In the iptables rules (created by shorewall) I've this (for example the tcp part of the previous rules):

    iptables -L | grep 4662

    ACCEPT     tcp  --  anywhere             anywhere             multiport dports 4662,4661,4242,3000
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4662

Why are source and destination both "anywhere"? I think it should be something like this:

    ACCEPT     tcp  --  127.0.0.1            anywhere             multiport dports 4662,4661,4242,3000
    ACCEPT     tcp  --  anywhere             127.0.0.1            tcp dpt:4662

Am I wrong?
sond wrote:

> So, when I want to DNAT a port I have first to ACCEPT the net to fw
> connection for that port. Right?

No. Shorewall's DNAT action creates both the DNAT and ACCEPT rules; DNAT- (note the trailing "-") omits generation of the ACCEPT rules.

> In the iptables rules (created by shorewall) I've this (for example the
> tcp part of the previous rules):
>
>     iptables -L | grep 4662
>
>     ACCEPT     tcp  --  anywhere             anywhere             multiport dports 4662,4661,4242,3000
>     ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4662
>
> Why are source and destination both "anywhere"?

Because those rules are in user-defined chains that only get traffic from net->fw and fw->net. Also, iptables output is much more useful if you use the "-nv" options. In general, you can't look at a single Netfilter rule out of context and draw any valid conclusions.

> I think it should be something like this:
>
>     ACCEPT     tcp  --  127.0.0.1            anywhere             multiport dports 4662,4661,4242,3000
>     ACCEPT     tcp  --  anywhere             127.0.0.1            tcp dpt:4662
>
> Am I wrong?

Yes. Completely....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
sond wrote:

> Analyzing all the chains I notice that in the INPUT and OUTPUT chains
> there is the specification for the input and output interfaces, but
> there is no specification for the fw ip like 127.0.0.1 or 192.168.0.1
> (I've two NICs).

That is because only packets addressed to local addresses (like 127.0.0.1 or 192.168.0.1) enter the INPUT chain. That is controlled by routing and the iptables ruleset doesn't have to filter packets in the INPUT chain for their destination IP address.

For more reading, see:

http://www1.shorewall.net/NetfilterOverview.html
http://www1.shorewall.net/PacketHandling.html
http://www1.shorewall.net/Shorewall_and_Routing.html

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 09 January 2007 19:22, Tom Eastep wrote:

> No. Shorewall's DNAT action creates both the DNAT and ACCEPT rules;
> DNAT- (note the trailing "-") omits generation of the ACCEPT rules.

Ok, thanks for the clarification.

> Because those rules are in user-defined chains that only get traffic
> from net->fw and fw->net. [...] In general, you can't look at a single
> Netfilter rule out of context and draw any valid conclusions.

Please, can you help me to understand this point? Maybe you mean I have to look at the other chains (INPUT, DROP, REJECT, ...) and the user-defined net2fw chain to draw a conclusion?

This is (for example) the INPUT chain and the net2fw chain (with -n -v):

    Chain INPUT (policy DROP 3 packets, 176 bytes)
    ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain net2fw (1 references)
    ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4662
    ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 4672,4673,4665
    Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:'
    DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Analyzing all the chains I notice that in the INPUT and OUTPUT chains there is the specification for the input and output interfaces, but there is no specification for the fw ip like 127.0.0.1 or 192.168.0.1 (I've two NICs). The only specification for an ip address is in the fw2lan chain for ssh access:

    ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.2        tcp dpt:22

So if you can give me a specific explanation (also a link) to resolve my doubt about the 0.0.0.0/0 I would be thankful for it.
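Tom's point that a single Netfilter rule cannot be read out of context, and his explanation that only packets already routed to a local address reach INPUT, are easiest to see by walking a packet through the chains the way the kernel does. This is an added example, not code from the thread or from Shorewall: a Python tracer over an `iptables -nL`-style dump that follows a packet from INPUT into the per-interface chain and on into net2fw, records every rule it hits (including the non-terminal LOG rule and the empty helper chain it jumps into and returns from) and reports the verdict or, failing that, the base chain's policy. The dump is constructed from the chains sond posted; the eth0 subtree is omitted, Shorewall's Reject helper chain is omitted and its Drop chain is shown empty, and the sample addresses are made up, so those parts are assumptions rather than the poster's real ruleset. The tracer deliberately does not model the routing decision: it assumes the packet has already been routed to a local address, which is exactly why no rule in INPUT needs to test the destination IP.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed `iptables -nL` dump modelled on the chains in the post. The eth0
# subtree and the Reject helper chain are omitted and Drop is shown empty (assumptions).
IPTABLES_DUMP = """\
Chain INPUT (policy DROP 3 packets, 176 bytes)
target     prot opt in     out     source               destination
ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4662
ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 4672,4673,4665
Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:'
DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain Drop (1 references)

Chain reject (1 references)
REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# dport defaults to 0 and the conntrack state to NEW (NEW, ESTABLISHED or RELATED)
Packet = namedtuple("Packet", "in_iface proto src dst dport state", defaults=(0, "NEW"))


def parse_dump(text):
    """Return ({chain: [rule dicts]}, {chain: policy}) from -nL output."""
    chains, policies, cur = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            cur = m.group(1)
            chains[cur] = []
            if m.group(2):
                policies[cur] = m.group(2)
            continue
        f = line.split(None, 7)
        if cur is None or len(f) < 7 or f[0] == "target":
            continue  # blank line or column header
        chains[cur].append({"target": f[0], "prot": f[1], "in": f[3], "out": f[4],
                            "src": f[5], "dst": f[6], "extra": f[7] if len(f) > 7 else ""})
    return chains, policies


def _in_net(spec, addr):  # CIDR test for a source/destination column, honouring a leading '!'
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != spec.startswith("!")


def rule_matches(rule, pkt):
    """Match columns plus the state/dpt/dports extras; limit and LOG options are not matches."""
    if (rule["prot"] not in ("all", pkt.proto) or rule["in"] not in ("*", pkt.in_iface)
            or not (_in_net(rule["src"], pkt.src) and _in_net(rule["dst"], pkt.dst))):
        return False
    x = rule["extra"]
    st = re.search(r"\bstate (\S+)", x)
    dp = re.search(r"\bdpt:(\d+)", x)
    mp = re.search(r"\bdports (\S+)", x)
    return ((not st or pkt.state in st.group(1).split(","))
            and (not dp or pkt.dport == int(dp.group(1)))
            and (not mp or str(pkt.dport) in mp.group(1).split(",")))


def _walk(chains, name, pkt, path):
    for idx, rule in enumerate(chains.get(name, []), start=1):
        if not rule_matches(rule, pkt):
            continue
        path.append(f"{name}#{idx} {rule['target']} {rule['extra']}".rstrip())
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt
        if tgt == "RETURN":
            return None
        if tgt in chains:  # jump; come back here if the sub-chain gives no verdict
            verdict = _walk(chains, tgt, pkt, path)
            if verdict is not None:
                return verdict
        # LOG, or a chain not present in the dump, is a no-op: try the next rule
    return None


def trace(text, pkt, base="INPUT"):
    """(verdict, path) for pkt entering `base`; routing to a local address is assumed done."""
    chains, policies = parse_dump(text)
    path = []
    verdict = _walk(chains, base, pkt, path)
    if verdict is None:
        verdict = policies.get(base, "RETURN")
        path.append(f"{base} policy {verdict}")
    return verdict, path


if __name__ == "__main__":
    pkt = Packet("eth1", "tcp", "203.0.113.7", "192.168.0.1", 4661)
    print(*trace(IPTABLES_DUMP, pkt), sep="\n")
```

A NEW TCP packet to port 4662 arriving on eth1 is accepted only because INPUT hands eth1 traffic to eth1_in, which hands it to net2fw, where the dpt:4662 rule sits; the same packet to port 4661 falls through the empty Drop chain, is logged with the `Shorewall:net2fw:DROP:` prefix and is then dropped. The 0.0.0.0/0 columns that puzzled sond never need to be tighter, because the interface test in INPUT and the routing decision before it have already decided which chain, and which firewall address, the packet belongs to.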
On Wednesday 10 January 2007 01:34, Tom Eastep wrote:

> That is because only packets addressed to local addresses (like
> 127.0.0.1 or 192.168.0.1) enter the INPUT chain. That is controlled
> by routing and the iptables ruleset doesn't have to filter packets in
> the INPUT chain for their destination IP address.
>
> For more reading, see:
>
> http://www1.shorewall.net/NetfilterOverview.html
> http://www1.shorewall.net/PacketHandling.html
> http://www1.shorewall.net/Shorewall_and_Routing.html
>
> -Tom

Thanks a lot!